[Plugin: Post Thumb Revisited] DO NOT USE THIS PLUGIN!!!!!!!!!!!!! (13 posts)

  1. jensimmons
    Member
    Posted 5 years ago #

    This was a great plugin by Alakhnor. Until something happened and spammers hacked into his systems and took over the code.

    I used Post Thumb Revisited happily for months on a client's site. Then one day the site's navigation menu (which is created by another plugin) disappeared. Weird. So I put it back. Then something else really weird happened. (Funny, it seems I've blocked the details from my memory... sorry to be vague. Guess I just didn't want to remember the craziness.) Then disasters began that caused the site to be totally unusable. I went to pull from my backups (made faithfully by WP Database Backup... or so I thought), and I discovered no backups had been made for months. I was working on it one day and as I was fixing one thing, others were breaking before my very eyes. All seemingly unrelated things. I felt like I was trying to stitch a seam into an antique fabric that was tearing worse and worse as I touched it.

    Many hours later I figured out Post Thumb Revisited was the cause. The word on the internets was that the plugin had been hacked. I could see malicious code all over my client's installation.

    In the end I got everything back. I erased all the files from the server, installed fresh brand new versions of everything (WP core, theme core, all plugins) since the malware robots were breaking other plugins. I copied over the uploads directory, and the files specific to my custom theme. I prayed the database wasn't corrupted, and that everything would just work out, since I couldn't restore an older db version.

    It did. Everything turned out fine, after days of repairs.

    I replaced this plugin with WP Post Thumbnail.
    http://wordpress.org/extend/plugins/wp-post-thumbnail/
    It works differently, but well. And the good thing about WP Post Thumbnail is that if you turn it off and delete it (or it breaks or goes crazy), all of the older posts with thumbnails still work and still display the image.

    Hopefully, Automattic will delete this plugin from wordpress.org. It really shouldn't be here anymore. Well, unless Alakhnor returns to reclaim the code from the malware hackers, or someone else forks the code and recreates this plugin without the problems.

    Until then, stay far far away from this code.

    http://wordpress.org/extend/plugins/alakhnors-post-thumb/

  2. d910qf
    Member
    Posted 5 years ago #

    "Many hours later I figured out Post Thumb Revisited was the cause. The word on the internets was that the plugin had been hacked. I could see malicious code all over my client's installation."

    Can you provide specifics? I use this plugin regularly without issue. I am happy to go through the code and check - it is doubtful that the plugin code has been altered without anyone noticing.

    His website did have a problem with malicious code at some point, but this was dealt with and is a completely separate issue to what is contained in the plugin.

  3. Len
    Member
    Posted 5 years ago #

    The author's web site is still hacked. It is also running WP 2.5 (no wonder it is hacked).

    I haven't looked at the plugin but I certainly wouldn't download anything from that site right now.

  4. Marcomail
    Member
    Posted 5 years ago #

    Which version of this script is hacked?

  5. Len
    Member
    Posted 5 years ago #

    I have no idea if the plugin is hacked as I haven't looked at it. If it is downloaded from WordPress then I assume it is good to go. However, the author's site remains hacked, so the point I was making is don't download anything from there.

  6. jensimmons
    Member
    Posted 5 years ago #

    I was running version 2.2.1.b. I believe I did download the plugin from wordpress.org, since I now always download plugins from wordpress.org (and now themes too), and not from author websites (for this exact reason) — but honestly, I can't be 100% sure. Perhaps I made a mistake and got it from Alakhnor's site.

    I also don't remember what the hacked code looked like — or rather, I'm getting the details of this mess mixed up with the details of another site that got hacked around the same time. On this other site, spam robots broke into an old WP installation (2.3 I believe) and hacked the theme with link spam. I spent hours fixing that other site the same week this one broke, and all the details are mixed together in my head. If I had realized this plugin had turned to malware, I would have taken notes as I went along — and I'd have more details. Alas, I guess we should all always be taking notes.

    If you are already using this plugin, I would just make sure to keep great backups of everything — especially your database. Hopefully, you won't have any trouble. But if you do have mysterious problems, remember it could be this plugin. My first sign of trouble came when other plugins were being disrupted.

    Perhaps I should modify my warning to say if you have not used this plugin, and are looking for something like this, use WP Post Thumbnail instead.
    http://wordpress.org/extend/plugins/wp-post-thumbnail/
    Not only will using WP Post Thumbnail help you avoid the malware, but I expect Stanley Yeoh will be updating and maintaining his plugin, while Post Thumb Revisited has not been updated in almost a year. It's always better to use a plugin that's being actively maintained over one that is not.

    Good luck!

  7. Marcomail
    Member
    Posted 5 years ago #

    My site with post-thumb has been hacked. I don't know if the problem is this plugin, but I've found the malicious code of the c99madshell webshell in this folder: /wp-content/plugins/post-thumb/js/highslide/graphics/, so I thought about this post. Do you think it's a strange coincidence or not?

  8. howkliu
    Member
    Posted 5 years ago #

    I got this fixed.
    I checked my basic options like this:
    Folder name: wordpress/wp-content/uploads/thumbs
    Default image: wordpress/wp-content/plugins/post-thumb/images/default.png

    The thumbs folder rights should be 777.
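
Two checks an administrator can run over a WordPress tree after reading the reports above (a PHP file found under a plugin's graphics directory, and a thumbs folder set to 777). This is an added example, not code from the thread, the plugin, or WordPress; the image-directory names, the audit function and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the plugin): flag PHP files sitting in
# directories that should only hold images, and directories writable by everyone.
# The directory names below are assumptions; adjust them to your own layout.

# Print PHP files found under image-only directories beneath $1.
find_php_in_image_dirs() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' \) \
        \( -path '*/images/*' -o -path '*/graphics/*' \
           -o -path '*/thumbs/*' -o -path '*/uploads/*' \)
}

# Print directories beneath $1 that are writable by everyone (mode o+w, e.g. 777).
find_world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# Report both findings; returns 1 if anything was flagged so it can gate a cron job.
# Usage: audit_wordpress_tree /path/to/wordpress
audit_wordpress_tree() {
    php_hits=$(find_php_in_image_dirs "$1")
    ww_hits=$(find_world_writable_dirs "$1")
    [ -n "$php_hits" ] && printf 'PHP in image dirs:\n%s\n' "$php_hits"
    [ -n "$ww_hits" ] && printf 'World-writable dirs:\n%s\n' "$ww_hits"
    [ -z "$php_hits$ww_hits" ]
}

# Constructed throwaway tree mirroring the paths mentioned in the thread, for
# trying the checks offline. Prints the root; remove it when done.
make_demo_tree() {
    umask 022
    root=$(mktemp -d)
    plug="$root/wp-content/plugins/post-thumb"
    mkdir -p "$plug/js/highslide/graphics" "$plug/images" "$root/wp-content/uploads/thumbs"
    echo '<?php // legitimate plugin entry point' > "$plug/post-thumb.php"
    # a PHP file inside a graphics directory is the kind of thing reported above
    echo '<?php // constructed stand-in for an unexpected file' > "$plug/js/highslide/graphics/x.php"
    : > "$plug/images/default.png"
    chmod 777 "$root/wp-content/uploads/thumbs"
    echo "$root"
}
```

On a real site, run `audit_wordpress_tree /path/to/wordpress`; a plugin's own images directory holding only .png files and a 755 uploads folder produce no output.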

  9. neuville
    Member
    Posted 5 years ago #

    Hello,
    my site was also hacked about a year ago (I still don't know if the cause is postthumb...).

    I cannot read more details on the hacks here, but at the WP directory they deleted the plugin, so I feel it could be because the plugin itself contains spyware or the author no longer supports it...

    The matter is: I'm still using it, and I need to replace it with another (maybe the plugin does not contain malicious stuff, but... who knows?). What is the best? I've tried autothumb but it's not working on my website (it's not supported as well); also, I need something that will make thumbs of videos, and postthumb is still the only one providing this feature.

    Any suggestions?

  10. neuville
    Member
    Posted 5 years ago #

    Just another thing: I'm seeing WP Post Thumbnail has not been updated for about a year and it's not compatible with WP 2.7.1... any valid alternative?

  11. darknailblue
    Member
    Posted 5 years ago #

    It works fine with WP 2.7.1.

  12. lsaboya
    Member
    Posted 4 years ago #

    The Masterplan theme uses post-revisited. Is it dangerous too?
    http://themasterplan.in/tma

    Is this plugin version on Google Code hacked also?

    http://code.google.com/p/post-thumb-revisited/

    []s

  13. Mark
    Member
    Posted 4 years ago #

    In WordPress 2.9, you can simply use the built-in thumbnail function. See http://markjaquith.wordpress.com/2009/12/23/new-in-wordpress-2-9-post-thumbnail-images/ for the details.

Topic Closed

This topic has been closed to new replies.